Secrets in the Cloud


  • Dominik Schadow, bridgingIT

    Secrets in the Cloud

    JAX 2017

  • spring:
      datasource:
        username: myDatabaseUser
        password: mySuperSecretDatabasePassword


    1001 Arthur kvgkIu7ZuPIdK9G7WUA duTvd9TinwRlvA6foux mgxMZwUsPUdW6 42 Secret
    1002 Zaphod wC28772M7AYVwLe2BOu dFl8VBo59KS5H1MbY9i riZpQhP6KCd33 42 Secret
    1003 Slarti eHkuCs817pYySnk0aKl zDeZDCSiUSedCOABqcE sRVYzS1Uc8RzK 42 Secret
    1004 Ford 3kQkFnjyt008yrIjnjf tZewS6j8yKIbywJYzvs 3HOGqtfYcAVV0 42 Secret



  • Store technical and personal secrets securely in the cloud

  • Technical Credentials

  • Embedded Configuration

  • com.github.ulisesbocchio:jasypt-spring-boot-starter:1.12 (groupId:artifactId:version)

  • spring:
      datasource:
        username: myDatabaseUser
        password: ENC(vvnkG2pj//Jd1vXe7YtuLvyFCtKBA+CVOYAT9qwfB4yuv4jngb6r/g==)

  • jasypt.encryptor.password, supplied as a system property, command line argument or environment variable:

    docker run -e jasypt.encryptor.password=sample-password -p 8080:8080 -t dschadow/sample

  • Better than before, but we are not there yet…

  • External Configuration

  • App <-> Config Server <-> Plain (git, svn)

  • Config Server Cryptography

    Properties starting with {cipher} are decrypted before being returned to the client

  • Symmetric Encryption

    # requires key
    # alternative: environment variable ENCRYPT_KEY
    encrypt:
      key: mySuperSecretKey

  • Asymmetric Encryption

    # requires keystore or pem file
    encrypt:
      keyStore:
        location: classpath:/server.jks
        password: letmein
        alias: mytestkey
        secret: changeme

  • Endpoints must be secured

  • spring:
      datasource:
        name: config-client-db
        username: config-client-db-user
        password: '{cipher}AQAPseaUfV+p34giF9jspUa475vKWV3bLwJh9sL2Gco8xB0e4GG0z24LRIVXz5SKtESd+t9mFFkfPxJ/SgxPNOgAl+naZSay088buguJlpnYNHkNDafpoJmLGdeWq7ZTkdIeoCXpZWIioxz5e3GfWudsMjmcJ6smpq6J63OQkmHy6Z00av7kIKscNZksDDTikeKX02mnpGRelBZfMYqsMF96v7o7tuAT15tTR1v6SHrUpJ83hSy8GgtWRR6egZaTu8sYzJdkpjOmUMGXNI1flBvFdkWNt78BjzB5Lm4IiXINQFw6SObcTCsUv3nQbFOELVqg9ajVHrbKi3oaGwcbgpYR3VGgBzAgX/B/ToS/WBRLtRViSXTANE9iCvqArik4Ynfti6KKROBVk9MFe8qMEiV'

  • decryption failure

  • Using Multiple Keys

    spring:
      datasource:
        password: '{cipher}{key:myFirstKey}AQUfV+...'

    Select existing key with {key:name} in properties file

  • Demo

  • HashiCorp Vault: "... centrally store, secure, and tightly control access to secrets across distributed infrastructure, applications, and humans."

  • Internal key encrypts all data with AES

    This key never leaves the system

    Data is Always Encrypted

    High availability

    Configured storage backend never sees plain text

    File, Amazon DynamoDB, Consul, …

  • Secret Storage

    Store existing secrets

    Dynamically create new secrets

    Lease time for new secrets, automatic revocation

    Access control policies for secrets

  • Audit Logs

    Not active by default

    Detailed audit log of all authenticated client interaction

    Trace lifetime and origin of any secret

    Hashes sensitive information with HMAC-SHA256

  • Accessible via HTTP API or CLI

  • Unsealing requires configured number of master keys

  • vault server -config vault.conf

    vault init -key-shares=5 -key-threshold=2

    Unseal Key 1: Pv/Xx49co4Zmed2McapSOr4jC4iiAvfd5EjvILMySJUB
    Unseal Key 2: T00pjFgitbcy+JKOGI6DFgW/0jBdyrVriLdGu7PENbsC
    Unseal Key 3: YCOKtRUITlH3h155P5LM+2zLbFgIe4vwrOIhO7OWHqED
    Unseal Key 4: rTLOGu3emdWa4QyKysY6Tmice1u4QTEcUFIPlrMzz+cE
    Unseal Key 5: glxtI6D0YjNfnsB97dp1owHoxTPt8A+HdAdoFrNh5P0F
    Initial Root Token: efe88b79-cf8b-825a-0f6f-ef1ca142782b

    export VAULT_ADDR=

    Shamir's Secret Sharing

    Only visible after initialization


  • vault unseal Pv/Xx49co4Zmed2McapSOr4jC4iiAvfd5EjvILMySJUB
    Sealed: true
    Key Shares: 5
    Key Threshold: 2
    Unseal Progress: 1
    Unseal Nonce: 87f350d5-2a25-a821-dc7f-2962fc49fe03

    vault unseal rTLOGu3emdWa4QyKysY6Tmice1u4QTEcUFIPlrMzz+cE
    Sealed: false
    Key Shares: 5
    Key Threshold: 2
    Unseal Progress: 0
    Unseal Nonce:
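The init and unseal steps above are Shamir's Secret Sharing with 5 shares and a threshold of 2. The Go code below is an added example, not Vault's own implementation: Vault splits its master key byte-wise over GF(2^8), whereas this version works in a prime field with math/big (the prime 2^521-1 is a constructed choice that leaves room for a 32-byte key) so that the algebra stays short; Split, Combine and Share are names chosen here.

```go
package main

import (
	"crypto/rand"
	"math/big"
)

// p is the field prime, 2^521-1 (constructed choice); a 32-byte master key fits below it.
var p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one unseal key: the point (X, f(X)) on the secret polynomial.
type Share struct{ X, Y *big.Int }

// Split picks a random polynomial f of degree threshold-1 with f(0) = secret and hands
// out f(1)..f(n); this is what "-key-shares=5 -key-threshold=2" asks for.
func Split(secret *big.Int, n, threshold int) []Share {
	coef := []*big.Int{secret} // constant term first
	for i := 1; i < threshold; i++ {
		c, _ := rand.Int(rand.Reader, p) // rand.Int only fails if the reader does
		coef = append(coef, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for j := len(coef) - 1; j >= 0; j-- { // Horner: y = (...(c_{t-1} x + c_{t-2}) x + ...) + c_0
			y.Mul(y, x).Add(y, coef[j]).Mod(y, p)
		}
		shares[i] = Share{x, y}
	}
	return shares
}

// Combine recovers f(0) by Lagrange interpolation over whichever shares are supplied;
// with fewer than threshold shares the result is a uniformly random field element.
func Combine(shares []Share) *big.Int {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1) // basis L_i(0) = prod (0-x_j)/(x_i-x_j)
		for j, sj := range shares {
			if i != j {
				num.Mul(num, new(big.Int).Neg(sj.X)).Mod(num, p)
				den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, p)
			}
		}
		l := num.Mul(num, den.ModInverse(den, p)).Mod(num, p)
		secret.Add(secret, new(big.Int).Mul(si.Y, l)).Mod(secret, p)
	}
	return secret
}
```

Any two of the five shares reconstruct the key, exactly as unseal keys 1 and 4 did on the slide; a single share tells an attacker nothing about it.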

  • Authenticated Access Required

    Token: static
    AppId: app id + user id (e.g. IP or MAC address)
    AppRole: machine authentication, role id + secret id
    TLS Certificate: SSL/TLS client certificates
    AWS: cryptographically signed metadata of EC2 instance
    GitHub: GitHub access token

  • Path Based Secret Storage

    vault [ACTION] secret/spring-config
    (secret = mount point, spring-config = application)

  • Each 'User' is Assigned a Policy

    Policies use path based matching to apply rule

    Policy may constrain actions and paths

  • path "secret/*" {
      policy = "write"
    }

    path "auth/token/lookup-self" {
      policy = "read"
    }
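How the two stanzas above are evaluated for a request, as an added Go example (not Vault's code): it assumes Vault's documented precedence, an exact path over a glob, a longer glob prefix over a shorter one, and deny over everything, plus the legacy keyword expansion read = read+list and write = create/read/update/delete/list. Rule, Legacy and Allowed are names chosen here.

```go
package main

import "strings"

// Rule is one path stanza of a policy with its capabilities (read, create, update, delete, list, deny).
type Rule struct{ Path string; Caps []string }

// Legacy expands the policy = "..." keywords used on the slide into capabilities.
var Legacy = map[string][]string{
	"read":  {"read", "list"},
	"write": {"create", "read", "update", "delete", "list"},
	"deny":  {"deny"},
}

func match(rule, path string) bool { // exact path, or a trailing-* glob prefix
	if strings.HasSuffix(rule, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(rule, "*"))
	}
	return rule == path
}

func better(a, b string) bool { // an exact path beats a glob; then the longer prefix wins
	ea, eb := !strings.HasSuffix(a, "*"), !strings.HasSuffix(b, "*")
	if ea != eb {
		return ea
	}
	return len(a) > len(b)
}

// Allowed evaluates a token's policies the way Vault does: the most specific matching
// path wins, its capabilities are unioned across the policies, and deny beats everything.
func Allowed(policies [][]Rule, path, capability string) bool {
	best, caps := "", map[string]bool{}
	for _, policy := range policies {
		for _, r := range policy {
			if !match(r.Path, path) {
				continue
			}
			if best == "" || better(r.Path, best) {
				best, caps = r.Path, map[string]bool{}
			}
			if r.Path == best {
				for _, c := range r.Caps {
					caps[c] = true
				}
			}
		}
	}
	return best != "" && !caps["deny"] && caps[capability]
}
```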

  • CLI: export VAULT_TOKEN=efe88b79-cf8b-825a-0f6f-ef1ca142782b

    HTTP API: X-Vault-Token header

  • vault write secret/spring-config db.password=config-client-db-password

    key/value format (generic backend)

  • Spring Cloud Vault

    /secret/{application}/{profile}
    /secret/{application}
    /secret/{defaultContext}/{profile}
    /secret/{defaultContext}

    Secrets are picked up during application startup

    Path based on application name and active contexts

  • Reading and Writing Secrets

  • Actuator Health Endpoint

  • Demo

  • Personal Credentials

  • API for Secret Management

    VaultTemplate to read, write, list and delete secrets; similar to RestTemplate

  • Demo

  • We have created another system to monitor and maintain…

  • AWS Key Management Service (KMS)

    Master key to protect all keys

    Service for storing encryption keys

    Supporting cryptographic operations with these keys

    Access control and auditing functionality

  • Key Encryption Key (a.k.a. master key)

    Data Encryption Key 1, Data Encryption Key 2, ... Data Encryption Key n: generated and decrypted by the master key

    Storage (encrypted data encryption key)
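The key hierarchy above in code, as an added Go example that is not the AWS SDK or the talk's demo project: KMS is a constructed stand-in that holds the key encryption key, Encrypt plays GenerateDataKey plus local AES-GCM with the data encryption key, the Envelope is what lands in storage (wrapped DEK beside the data), and Decrypt is the KMS Decrypt call followed by local decryption. All type and function names are chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD { // AES-GCM; keys in this example are always 32 bytes
	block, _ := aes.NewCipher(key) // a wrong key length leaves block nil and NewGCM panics
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return g
}

func seal(key, pt, aad []byte) []byte { // fresh random nonce; returns nonce||ciphertext||tag
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error since Go 1.24
	return g.Seal(nonce, nonce, pt, aad)
}

func open(key, blob, aad []byte) ([]byte, error) { // fails on any change to nonce, data, tag or aad
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

type KMS struct{ KEK []byte }                          // stand-in for the key service; the KEK never leaves it
type Envelope struct{ WrappedDEK, Ciphertext []byte } // what gets stored: the wrapped DEK beside its data

// Encrypt is GenerateDataKey (fresh DEK, handed back wrapped under the KEK) plus local AES-GCM.
func Encrypt(k *KMS, data []byte) *Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped := seal(k.KEK, dek, nil)                    // KMS side
	return &Envelope{wrapped, seal(dek, data, wrapped)} // app side; aad ties the data to its own DEK
}

// Decrypt asks the KMS to unwrap the DEK (its Decrypt call), then opens the data locally.
func Decrypt(k *KMS, e *Envelope) ([]byte, error) {
	dek, err := open(k.KEK, e.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, e.WrappedDEK)
}
```

Because the stored record carries only the wrapped DEK, the storage backend never sees a usable key, and a modified record or a foreign KEK is rejected at decryption time.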

  • Microsoft Azure Key Vault

    IBM Bluemix Key Protect

  • Summary: Multiple options to protect sensitive data exist

    Keep it as simple as possible

    Jasypt for simple applications

    Config Server cipher for distributed applications

    Vault when required

    Consider cloud provider services

  • Demo Project

    AWS KMS

    Jasypt integration for Spring Boot

    Spring Cloud Vault

    Pictures

    Marienstr. 17, 70178 Stuttgart

    [email protected]

    Twitter @dschadow